diff --git a/manpages-lite/shorewall-lite.xml b/manpages-lite/shorewall-lite.xml
new file mode 100644
index 000000000..70331fb30
--- /dev/null
+++ b/manpages-lite/shorewall-lite.xml
@@ -0,0 +1,1053 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+ <refmeta>
+ <refentrytitle>shorewall</refentrytitle>
+
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>shorewall</refname>
+
+ <refpurpose>Administration tool for Shoreline Firewall
+ (Shorewall)</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg rep="norepeat">-options</arg>
+
+ <command>add</command>
+
+ <arg choice="plain" rep="repeat">interface[:host-list]</arg>
+
+ <arg choice="plain">zone</arg>
+
+ <sbr />
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>allow</command>
+
+ <arg choice="plain">address</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>check</command>
+
+ <arg><option>-e</option></arg>
+
+ <arg>directory</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>clear</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>compile</command>
+
+ <arg><option>-e</option></arg>
+
+ <arg>directory</arg>
+
+ <arg choice="plain">pathname</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg rep="norepeat">-options</arg>
+
+ <command>delete</command>
+
+ <arg choice="plain" rep="repeat">interface[:host-list]</arg>
+
+ <arg choice="plain">zone</arg>
+
+ <sbr />
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>drop</command>
+
+ <arg choice="plain">address</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>dump</command>
+
+ <arg><option>-x</option></arg>
+
+ <arg><option>-m</option></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>export</command>
+
+ <arg choice="opt">directory1</arg>
+
+ <arg choice="plain">[user@]system:[directory2]</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>forget</command>
+
+ <arg>filename</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>help</command>
+
+ <group>
+ <arg choice="plain">command</arg>
+ </group>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>hits</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>ipcalc</command>
+
+ <group choice="req">
+ <arg choice="plain">address mask</arg>
+
+ <arg choice="plain">address/vlsm</arg>
+ </group>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>iprange</command>
+
+ <arg choice="plain">address1-address2</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>load</command>
+
+ <arg><option>-s</option></arg>
+
+ <arg><option>-c</option></arg>
+
+ <arg>directory</arg>
+
+ <arg choice="plain">system</arg>
+
+ <arg></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>logdrop</command>
+
+ <arg choice="plain">address</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>logwatch</command>
+
+ <arg><option>-m</option></arg>
+
+ <arg>refresh-interval</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>logreject</command>
+
+ <arg choice="plain">address</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>refresh</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>reject</command>
+
+ <arg choice="plain">address</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>reload</command>
+
+ <arg><option>-s</option></arg>
+
+ <arg><option>-c</option></arg>
+
+ <arg>directory</arg>
+
+ <arg choice="plain">system</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>restart</command>
+
+ <arg>directory</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>restore</command>
+
+ <arg>filename</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>safe-restart</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>safe-start</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>save</command>
+
+ <arg choice="opt">filename</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>show</command>
+
+ <arg><option>-x</option></arg>
+
+ <arg rep="repeat">chain</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>show</command>
+
+ <arg><option>-f</option></arg>
+
+ <command>capabilities</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>show</command>
+
+ <arg
+ choice="req"><option>actions|classifiers|connections|config|macros|zones</option></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>show</command>
+
+ <arg><option>-x</option></arg>
+
+ <arg choice="req"><option>mangle|nat</option></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>show</command>
+
+ <arg choice="plain"><option>tc</option></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>show</command>
+
+ <arg><option>-m</option></arg>
+
+ <command>log</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>start</command>
+
+ <arg><option>-f</option></arg>
+
+ <arg>directory</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>stop</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>status</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>try</command>
+
+ <arg choice="plain">directory</arg>
+
+ <arg>timeout</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>shorewall</command>
+
+ <arg>-options</arg>
+
+ <command>version</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>The shorewall utility is used to control the Shoreline Firewall
+ (Shorewall).</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>The <emphasis>options</emphasis> control the amount of output that
+ the command produces. They consist of a sequence of the letters <emphasis
+ role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
+ options are omitted, the amount of output is determined by the setting of
+ the VERBOSITY parameter in shorewall.conf(5). Each <emphasis
+ role="bold">v</emphasis> adds one to the effective verbosity and each
+ <emphasis role="bold">q</emphasis> subtracts one from the effective
+ VERBOSITY.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Commands</title>
+
+ <para>The available commands are listed below.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><emphasis role="bold">add</emphasis></term>
+
+ <listitem>
+ <para>Adds a list of hosts or subnets to a dynamic zone usually used
+ with VPN's.</para>
+
+ <para>The <emphasis>interface</emphasis> argument names an interface
+ defined in the shorewall-interfaces(5) file. A
+ <emphasis>host-list</emphasis> is comma-separated list whose
+ elements are:</para>
+
+ <programlisting> A host or network address
+ The name of a bridge port
+ The name of a bridge port followed by a colon (:) and a host or network address</programlisting>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">allow</emphasis></term>
+
+ <listitem>
+ <para>Re-enables receipt of packets from hosts previously
+ blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
+ role="bold">logdrop</emphasis>, <emphasis
+ role="bold">reject</emphasis>, or <emphasis
+ role="bold">logreject</emphasis> command.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">check</emphasis></term>
+
+ <listitem>
+ <para>Compiles the configuraton in the specified
+ <emphasis>directory</emphasis> and discards the compiled output
+ script. If no <emphasis>directory</emphasis> is given, then
+ /etc/shorewall is assumed.</para>
+
+ <para>The <emphasis role="bold">-e</emphasis> option causes the
+ compiler to look for a file named capabilities. This file is
+ produced using the command <emphasis role="bold">shorewall-lite show
+ -f capabilities > capabities</emphasis> on a system with
+ Shorewall Lite installed.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">clear</emphasis></term>
+
+ <listitem>
+ <para>Clear will remove all rules and chains installed by Shorewall.
+ The firewall is then wide open and unprotected. Existing connections
+ are untouched. Clear is often used to see if the firewall is causing
+ connection problems.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">compile</emphasis></term>
+
+ <listitem>
+ <para>Compiles the current configuration into the executable file
+ <emphasis>pathname</emphasis>. If a directory is supplied, Shorewall
+ will look in that directory first for configuration files.</para>
+
+ <para>When -e is specified, the compilation is being performed on a
+ system other than where the compiled script will run. This option
+ disables certain configuration options that require the script to be
+ compiled where it is to be run. The use of -e requires the presense
+ of a configuration file named capabilities which may be produced
+ using the command <emphasis role="bold">shorewall-lite show -f
+ capabilities > capabities</emphasis> on a system with Shorewall
+ Lite installed</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">delete</emphasis></term>
+
+ <listitem>
+ <para>The delete command reverses the effect of an earlier <emphasis
+ role="bold">add</emphasis> command.</para>
+
+ <para>The <emphasis>interface</emphasis> argument names an interface
+ defined in the shorewall-interfaces(5) file. A
+ <emphasis>host-list</emphasis> is comma-separated list whose
+ elements are:</para>
+
+ <programlisting> A host or network address
+ The name of a bridge port
+ The name of a bridge port followed by a colon (:) and a host or network address</programlisting>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">drop</emphasis></term>
+
+ <listitem>
+ <para>Causes traffic from the listed <emphasis>address</emphasis>es
+ to be silently dropped.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">dump</emphasis></term>
+
+ <listitem>
+ <para>Produces a verbose report about the firewall configuration for
+ the purpose of problem analysis.</para>
+
+ <para>The <emphasis role="bold">-x</emphasis> option causes actual
+ packet and byte counts to be displayed. Without that option, these
+ counts are abbreviated. The <emphasis role="bold">-m</emphasis>
+ option causes any MAC addresses included in Shorewall log messages
+ to be displayed.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">export</emphasis></term>
+
+ <listitem>
+ <para>If <emphasis>directory1</emphasis> is omitted, the current
+ working directory is assumed.</para>
+
+ <para>Allows a non-root user to compile a shorewall script and stage
+ it on a system (provided that the user has access to the system via
+ ssh). The command is equivalent to:</para>
+
+ <programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory1</emphasis> <emphasis>directory1</emphasis><emphasis
+ role="bold">/firewall &&\</emphasis>
+ <emphasis role="bold">scp</emphasis> directory1<emphasis role="bold">/firewall</emphasis> <emphasis>directory1</emphasis><emphasis
+ role="bold">/firewall.conf</emphasis> [<emphasis>user</emphasis>@]<emphasis
+ role="bold">system</emphasis>:[<emphasis>directory2</emphasis>]</programlisting>
+
+ <para>In other words, the configuration in the specified (or
+ defaulted) directory is compiled to a file called firewall in that
+ directory. If compilation succeeds, then firewall and firewall.conf
+ are copied to <emphasis>system</emphasis> using scp.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">forget</emphasis></term>
+
+ <listitem>
+ <para>Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and
+ /var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
+ given then the file specified by RESTOREFILE in shorewall.conf(5) is
+ assumed.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">help</emphasis></term>
+
+ <listitem>
+ <para>Displays information about a particular
+ <emphasis>command</emphasis>. If no <emphasis>command</emphasis> is
+ given, a syntax summary is displayed.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">hits</emphasis></term>
+
+ <listitem>
+ <para>Generates several reports from Shorewall log messages in the
+ current log file.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">ipcalc</emphasis></term>
+
+ <listitem>
+ <para>Ipcalc displays the network address, broadcast address,
+ network in CIDR notation and netmask corresponding to the
+ input[s].</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">iprange</emphasis></term>
+
+ <listitem>
+ <para>Iprange decomposes the specified range of IP addresses into
+ the equivalent list of network/host addresses.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">load</emphasis></term>
+
+ <listitem>
+ <para>If <emphasis>directory</emphasis> is omitted, the current
+ working directory is assumed. Allows a non-root user to compile a
+ shorewall script and install it on a system (provided that the user
+ has root access to the system via ssh). The command is equivalent
+ to:</para>
+
+ <programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
+ role="bold">/firewall &&\</emphasis>
+ <emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
+ role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
+ role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
+ role="bold">:/var/lib/shorewall-lite/ &&\</emphasis>
+ <emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
+ role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
+
+ <para>In other words, the configuration in the specified (or
+ defaulted) directory is compiled to a file called firewall in that
+ directory. If compilation succeeds, then firewall is copied to
+ <emphasis>system</emphasis> using scp. If the copy succeeds,
+ Shorewall Lite on <emphasis>system</emphasis> is started via
+ ssh.</para>
+
+ <para>If <emphasis role="bold">-s</emphasis> is specified and the
+ <emphasis role="bold">start</emphasis> command succeeds, then the
+ remote Shorewall-lite configuration is saved by executing <emphasis
+ role="bold">shorewall-lite save</emphasis> via ssh.</para>
+
+ <para>if <emphasis role="bold">-c</emphasis> is included, the
+ command <emphasis role="bold">shorewall-lite show capabilities -f
+ > /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+ ssh then the generated file is copied to
+ <emphasis>directory</emphasis> using scp. This step is performed
+ before the configuration is compiled.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">logdrop</emphasis></term>
+
+ <listitem>
+ <para>Causes traffic from the listed <emphasis>address</emphasis>es
+ to be logged then discarded.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">logwatch</emphasis></term>
+
+ <listitem>
+ <para>Monitors the log file specified by theLOGFILE option in
+ shorewall.conf(5) and produces an audible alarm when new Shorewall
+ messages are logged. The <emphasis role="bold">-m</emphasis> option
+ causes the MAC address of each packet source to be displayed if that
+ information is available.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">logreject</emphasis></term>
+
+ <listitem>
+ <para>Causes traffic from the listed <emphasis>address</emphasis>es
+ to be logged then rejected.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">refresh</emphasis></term>
+
+ <listitem>
+ <para>The rules involving the the black list, ECN control rules, and
+ traffic shaping are recreated to reflect any changes made to your
+ configuration files. Existing connections are untouched.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">reload</emphasis></term>
+
+ <listitem>
+ <para>If <emphasis>directory</emphasis> is omitted, the current
+ working directory is assumed. Allows a non-root user to compile a
+ shorewall script and install it on a system (provided that the user
+ has root access to the system via ssh). The command is equivalent
+ to:</para>
+
+ <programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
+ role="bold">/firewall &&\</emphasis>
+ <emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
+ role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
+ role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
+ role="bold">:/var/lib/shorewall-lite/ &&\</emphasis>
+ <emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
+ role="bold">'/sbin/shorewall-lite restart'</emphasis></programlisting>
+
+ <para>In other words, the configuration in the specified (or
+ defaulted) directory is compiled to a file called firewall in that
+ directory. If compilation succeeds, then firewall is copied to
+ <emphasis>system</emphasis> using scp. If the copy succeeds,
+ Shorewall Lite on <emphasis>system</emphasis> is restarted via
+ ssh.</para>
+
+ <para>If <emphasis role="bold">-s</emphasis> is specified and the
+ <emphasis role="bold">restart</emphasis> command succeeds, then the
+ remote Shorewall-lite configuration is saved by executing <emphasis
+ role="bold">shorewall-lite save</emphasis> via ssh.</para>
+
+ <para>if <emphasis role="bold">-c</emphasis> is included, the
+ command <emphasis role="bold">shorewall-lite show capabilities -f
+ > /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+ ssh then the generated file is copied to
+ <emphasis>directory</emphasis> using scp. This step is performed
+ before the configuration is compiled.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">reset</emphasis></term>
+
+ <listitem>
+ <para>All the packet and byte counters in the firewall are
+ reset.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">restart</emphasis></term>
+
+ <listitem>
+ <para>Restart is similar to <emphasis role="bold">shorewall
+ stop</emphasis> followed by <emphasis role="bold">shorewall
+ start</emphasis>. Existing connections are maintained. If a
+ <emphasis>directory</emphasis> is included in the command, Shorewall
+ will look in that <emphasis>directory</emphasis> first for
+ configuration files.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">restore</emphasis></term>
+
+ <listitem>
+ <para>Restore Shorewall to a state saved using the <emphasis
+ role="bold">shorewall save</emphasis> command. Existing connections
+ are maintained. The <emphasis>filename</emphasis> names a restore
+ file in /var/lib/shorewall created using <emphasis
+ role="bold">shorewall save</emphasis>; if no
+ <emphasis>filename</emphasis> is given then Shorewall will be
+ restored from the file specified by the RESTOREFILE option in
+ shorewall.conf(5).</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">safe-restart</emphasis></term>
+
+ <listitem>
+ <para>Only allowed if Shorewall is running. The current
+ configuration is saved in /var/lib/shorewall/safe-restart (see the
+ save command below) then a <emphasis role="bold">shorewall
+ restart</emphasis> is done. You will then be prompted asking if you
+ want to accept the new configuration or not. If you answer "n" or if
+ you fail to answer within 60 seconds (such as when your new
+ configuration has disabled communication with your terminal), the
+ configuration is restored from the saved configuration.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">safe-start</emphasis></term>
+
+ <listitem>
+ <para>Shorewall is started normally. You will then be prompted
+ asking if everything went all right. If you answer "n" or if you
+ fail to answer within 60 seconds (such as when your new
+ configuration has disabled communication with your terminal), a
+ shorewall clear is performed for you.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">save</emphasis></term>
+
+ <listitem>
+ <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
+ The state of the firewall is stored in
+ /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
+ <emphasis role="bold">shorewall restore</emphasis> and <emphasis
+ role="bold">shorewall -f start</emphasis> commands. If
+ <emphasis>filename</emphasis> is not given then the state is saved
+ in the file specified by the RESTOREFILE option in
+ shorewall.conf(5).</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">show</emphasis></term>
+
+ <listitem>
+ <para>The show command can have a number of different
+ arguments:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>[ <emphasis>chain</emphasis> ] ...</term>
+
+ <listitem>
+ <para>The rules in each <emphasis>chain</emphasis> are
+ displayed ssing the <emphasis role="bold">iptables
+ -L</emphasis> <emphasis>chain</emphasis> <emphasis
+ role="bold">-n -v</emphasis> command. If no
+ <emphasis>chain</emphasis> is given, all of the chains in the
+ filter table are displayed. The <emphasis
+ role="bold">-x</emphasis> option is passed directly through to
+ iptables and causes actual packet and byte counts to be
+ displayed. Without this option, those counts are
+ abbreviated.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">actions</emphasis></term>
+
+ <listitem>
+ <para>Produces a report about the available actions (built-in,
+ standard and user-defined).</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">capabilities</emphasis></term>
+
+ <listitem>
+ <para>Displays your kernel/iptables capabilities. The
+ <emphasis role="bold">-f</emphasis> option causes the display
+ to be formatted as a capabilities file for use with <emphasis
+ role="bold">compile -e</emphasis>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">classifiers</emphasis></term>
+
+ <listitem>
+ <para>Displays information about the packet classifiers
+ defined on the system as a result of traffic shaping
+ configuration.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">config</emphasis></term>
+
+ <listitem>
+ <para>Dispays distribution-specific defaults.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">connections</emphasis></term>
+
+ <listitem>
+ <para>Displays the IP connections currently being tracked by
+ the firewall.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">macros</emphasis></term>
+
+ <listitem>
+ <para>Displays information about each macro defined on the
+ firewall system.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">mangle</emphasis></term>
+
+ <listitem>
+ <para>Displays the Netfilter mangle table using the command
+ <emphasis role="bold">iptables -t mangle -L -n
+ -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
+ is passed directly through to iptables and causes actual
+ packet and byte counts to be displayed. Without this option,
+ those counts are abbreviated.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">nat</emphasis></term>
+
+ <listitem>
+ <para>Displays the Netfilter nat table using the command
+ <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
+ <emphasis role="bold">-x</emphasis> option is passed directly
+ through to iptables and causes actual packet and byte counts
+ to be displayed. Without this option, those counts are
+ abbreviated.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">tc</emphasis></term>
+
+ <listitem>
+ <para>Displays information about queuing disciplines, classes
+ and filters.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">zones</emphasis></term>
+
+ <listitem>
+ <para>Displays the current composition of the Shorewall zones
+ on the system.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">start</emphasis></term>
+
+ <listitem>
+ <para>Start shorewall. Existing connections through shorewall
+ managed interfaces are untouched. New connections will be allowed
+ only if they are allowed by the firewall rules or policies. If a
+ <emphasis>directory</emphasis> is included in the command, Shorewall
+ will look in that <emphasis>directory</emphasis> first for
+ configuration files.If <emphasis role="bold">-f</emphasis> is
+ specified, the saved configuration specified by the RESTOREFILE
+ option in shorewall.conf(5) will be restored if that saved
+ configuration exists and has been modified more recently than the
+ files in /etc/shorewall.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">stop</emphasis></term>
+
+ <listitem>
+ <para>Stops the firewall. All existing connections, except those
+ listed in shorewall-routestopped(5) or permitted by the
+ ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The
+ only new traffic permitted through the firewall is from systems
+ listed in shorewall-routestopped(5) or by
+ ADMINISABSENTMINDED.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">status</emphasis></term>
+
+ <listitem>
+ <para>Produces a short report about the state of the
+ Shorewall-configured firewall.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">try</emphasis> (Deprecated)</term>
+
+ <listitem>
+ <para>Restart shorewall using the specified configuration. If an
+ error occurs during the restart, then another <emphasis
+ role="bold">shorewall restart</emphasis> is performed using the
+ default configuration. If a timeout is specified then the restart is
+ always performed after the timeout occurs and uses the default
+ configuration. When restarting using the default configuration, if
+ the default restore script (as specified by the RESTOREFILE setting
+ in shorewall.conf(5) exists. then that script is used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><emphasis role="bold">version</emphasis></term>
+
+ <listitem>
+ <para>Displays Shorewall.s version.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+
+ <para>/etc/shorewall/</para>
+ </refsect1>
+
+ <refsect1>
+ <title>See ALSO</title>
+
+ <para>shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)</para>
+ </refsect1>
+</refentry>
\ No newline at end of file